Do I need to mirror a specific port? Which one? Why can't I connect to any available port on that switch and sniff the network?

thanks
rubix
On Thu, 23 Dec 2004 14:01:51 -0500, Candee Vaglica <[EMAIL PROTECTED]> wrote:
> That's what I meant.
> ;)
> Thanks, Roger.
>
> On Thu, 23 Dec 2004 10:59:56 -0800, Roger Seielstad <[EMAIL PROTECTED]> wrote:
> > The way to track this down is to network scan on your egress router's
> > interface. It should be relatively trivial to filter for the traffic based
> > on destination port, and that will give you the MAC address of the sender
> > (that is VERY much harder to spoof - not impossible, but a heck of a lot
> > harder).
> >
> > From that, you can look at the ARP table of the router and the MAC address
> > will be there from the *valid* traffic the machine is doing. You can
> > guarantee that by ping sweeping the LAN, just in case. Then you're just
> > matching MAC to MAC and you get the right IP address.
> >
> > Heck, I think there's perl code that will do most of that for you - I know
> > we've got a MAC hunter app at work that does something similar to this to
> > find the name of machines when all we have is a MAC address.
> >
> > --------
> > Roger Seielstad
> > E-mail Geek & MS-MVP
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> > > Sent: Thursday, December 23, 2004 8:30 AM
> > > To: [email protected]
> > > Subject: RE: [ActiveDir] worm (very very OT)
> > >
> > > We're a switched network. I'd have to go to every PC (500) and
> > > run it. I'm trying to avoid that. Might as well run netstat
> > > -an on all PCs.
> > >
> > > Ethereal won't tell me the real address.
> > >
> > > thanks
> > >
> > > -----Original Message-----
> > > From: Candee Vaglica [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, December 23, 2004 11:16 AM
> > > To: [email protected]
> > > Subject: Re: [ActiveDir] worm (very very OT)
> > >
> > > Use a network scanner, like Ethereal, to monitor the traffic.
> > >
> > > On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom <[EMAIL PROTECTED]> wrote:
> > > > This is way off and I apologize, but you guys are really
> > > > knowledgeable and such a great help, I thought I'd try here.
> > > >
> > > > I have a number of PCs infected with some worm that goes
> > > > out on port 10000 TCP and tries to attempt a DOS attack.
> > > >
> > > > I don't know the worm and a Google search didn't really
> > > > turn anything up.
> > > >
> > > > Here's the thing. The worm uses a spoofed source address.
> > > > My question is, is there any way to track down a spoofed
> > > > address internally to the real address?
> > > >
> > > > I don't know how to find the infected PCs.
> > > >
> > > > thanks

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
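Roger's MAC-to-IP matching procedure, as an added example that is not part of the thread: it takes a capture from a mirror of the switch port facing the egress router's LAN interface, keeps only frames to TCP port 10000, and matches each sender MAC against the router's ARP table. The simplified frame format, all addresses and the ARP entries are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed frames from a mirror of the switch port facing the egress
# router's LAN interface (simplified tcpdump -e style). The source IP is
# whatever the worm chose; the source MAC is the sending NIC on the LAN.
CAPTURE = """\
00:0c:29:aa:01:01 > 00:00:0c:07:ac:01, IPv4, 192.0.2.77.1034 > 203.0.113.9.10000: Flags [S]
00:0c:29:aa:01:01 > 00:00:0c:07:ac:01, IPv4, 198.51.100.5.1035 > 203.0.113.9.10000: Flags [S]
00:0c:29:bb:02:02 > 00:00:0c:07:ac:01, IPv4, 10.0.0.23.3389 > 203.0.113.9.443: Flags [P.]
00:0c:29:cc:03:03 > 00:00:0c:07:ac:01, IPv4, 192.0.2.8.1100 > 203.0.113.9.10000: Flags [S]
"""

# Constructed router ARP table (IP -> MAC) after a ping sweep of the LAN,
# so it reflects the addresses hosts really answer on.
ARP_TABLE = {
    "10.0.0.23": "00:0c:29:bb:02:02",
    "10.0.0.41": "00:0c:29:aa:01:01",
    "10.0.0.42": "00:0c:29:dd:04:04",
}

FRAME_RE = re.compile(
    r"^(?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, IPv4, "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(?P<dport>\d+):"
)

def senders_to_port(capture, dport):
    """Source MAC -> set of (possibly spoofed) source IPs it used toward dport."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m and int(m.group("dport")) == dport:
            seen[m.group("smac")].add(m.group("sip"))
    return seen

def find_infected(capture, arp_table, dport=10000):
    """MAC -> {real_ip from ARP (None if unknown), claimed_ips seen in frames}."""
    mac_to_ip = {mac: ip for ip, mac in arp_table.items()}
    seen = senders_to_port(capture, dport)
    return {mac: {"real_ip": mac_to_ip.get(mac), "claimed_ips": sorted(ips)}
            for mac, ips in seen.items()}

if __name__ == "__main__":
    for mac, info in find_infected(CAPTURE, ARP_TABLE).items():
        # A None real_ip means the MAC sent no valid traffic; look it up in the switch CAM table.
        print(mac, info)
```

The sender MAC is only meaningful on the router's own LAN segment; captured beyond another router hop it would be that router's MAC, which is why the mirror has to sit on the segment where the infected hosts live.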
